Restrict access to port based on client IPs

Hi,
This is hopefully a fairly straightforward newbie OS networking question!
I want to configure a Solaris server such that access to a specified port is restricted to a defined small list of client IP addresses. Ideally I'm looking for a solution that works on both Solaris 9 and 10 and uses only standard Solaris options available on both of these versions. But if this isn't possible, I'm open to all suggestions!
Thanks very much,
Adrian

Check out ipfilter
Supported on both versions, fits your requirements. Ideally though, you'd have access restricted by a perimeter firewall device and the services located behind it but you may not be able to. That way your networking security configuration is centralised.
hth.
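As an added example (not code from the thread or from the IP Filter project), here is a small POSIX shell script that generates the kind of IP Filter ruleset the answer refers to: explicit `pass` rules for each allowed client, followed by a catch-all `block` for the port. The interface name `hme0`, the port `22` and the client addresses are constructed placeholders, not values from the original post.

```shell
#!/bin/sh
# Added example, not from the original thread: emit an IP Filter (ipf) ruleset
# that allows one TCP port only from a short allow-list of client addresses
# and blocks (and logs) every other source.  Interface name, port and client
# list are constructed placeholders; substitute your own.

IFACE="${IFACE:-hme0}"   # assumed interface name
PORT="${PORT:-22}"       # assumed service port to protect
CLIENTS="${CLIENTS:-192.0.2.10 192.0.2.11 198.51.100.0/24}"   # constructed allow-list

# gen_ipf_rules IFACE PORT CLIENT...  -> ruleset on stdout.
# "quick" makes the first matching rule final, so the per-client pass rules
# must come before the catch-all block.  "flags S keep state" matches only the
# initial SYN and lets the state table admit the rest of the connection.
gen_ipf_rules() {
    iface=$1
    port=$2
    shift 2
    for client in "$@"; do
        echo "pass in quick on $iface proto tcp from $client to any port = $port flags S keep state"
    done
    echo "block in log quick on $iface proto tcp from any to any port = $port"
}

# count_rules IFACE PORT CLIENT...  -> number of rules emitted
# (one pass per client plus the final block).
count_rules() {
    gen_ipf_rules "$@" | wc -l | tr -d ' '
}

# Word-splitting of $CLIENTS into separate arguments is intended here.
gen_ipf_rules "$IFACE" "$PORT" $CLIENTS
```

On Solaris 10, where IP Filter is bundled, the generated lines go into /etc/ipf/ipf.conf; the filter is turned on with `svcadm enable network/ipfilter`, a changed file is reloaded with `ipf -Fa -f /etc/ipf/ipf.conf`, and `ipfstat -io` lists the active rules (`ipfstat -hio` adds per-rule hit counts, useful for confirming that the block rule is actually catching unwanted clients). Two caveats: this ruleset only governs the one port, so every other service keeps the default pass policy unless you add a final `block in all` and explicit passes for what should stay reachable; and filtering on source address is only as trustworthy as the anti-spoofing controls on the path to the server, which is one more reason for the answer's preference for a perimeter firewall.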

Similar Messages

  • ACE: Can I loadbalance based on client Source IP/and client tcp source port?

    We recently migrated serving a client from being a thick client at the desktop to being served via a Citrix farm. Prior to the migration the clients came from about 5000 unique source IPs to their VIP; now they come from only 31 unique source IPs from the Citrix servers in the farm. A Citrix server can host 400 client sessions, and since the default action of the ACE is to load balance based on source IPs, the ACE is sending up to 400 sessions from one Citrix server to 1 real server in the farm. Is there any way I can load balance based on client source IP and TCP source port so the ACE views the 400 sessions from one Citrix server as unique sessions? The application does not require persistence.

    Hello,
    Yes, you can configure a "Sticky Layer 4 Payload" as described on this link:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/command/reference/sticky.html#wp1039276
    Unfortunately I do not have any working example. You must calculate the right values for the Offset and the Length to configure.
    Regards Jean-Marc

  • How to do .1x port based network access authentication through ACS

    How to do .1x port based network access authentication through ACS.

    Hi,
    802.1x can authenticate hosts either through the username/password or via the MAC address of the clients (PCs, printers, etc.). This process is called Agentless Network Access, which can be done through MAC Auth Bypass.
    In this process the 802.1x switchport would send the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, the authentication would be successful and the PC would be granted network access.
    To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
    To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
    Regards,
    Kush

  • How to restrict users working on Windows 7 clients from accessing Windows Explorer and other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2

    Dear All,
    We are having an infrastructure setup of around 500 client computers managed through group policy.
    Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
    Since this account requires an extremely strict environment, we need to figure out a solution for restricting users from accessing anything locally.
    It would be great if you can assist me with the following query.
    How to restrict users logged on to Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 R2?
    Can we disable the Network tab on the left-hand pane?
    explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.

    >   * explorer.exe is blocked already, but users are able to enter the
    >     Windows Explorer by clicking on the name which is visible on the
    >     Start Menu.
    You cannot block explorer.exe when you do not replace the shell - the
    desktop you see effectively IS explorer.exe...
    Your requirement sounds like you need a custom shell:
    http://gpsearch.azurewebsites.net/#2812
    Martin
    Time to read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Specify the port in the client in a TCP connection

    Hi,
    I am programming an application using TCP sockets. I have programmed a server with a ServerSocket(port) that is waiting for clients' requests (the server is a public host on the Internet). The client connects to the server by means of the method:
    Socket s = new Socket(host, port);
    That works correctly, but now I want to specify the port in the client. The client's PC is a machine on the Internet and it has a public IP. I tried to use the method:
    Socket(String host, int port, InetAddress localAddr, int localPort)
    where localAddr is the local IP of the client's PC (because I cannot know the public IP).
    However, this method doesn't work and the client cannot connect to the server. The problem is that I want to specify the port in the client in the TCP socket connection when I try to connect to the host.
    How can I resolve this problem?
    Thanks

    > I want to specify the port in the client
    Why?

  • Port-Based Authentication on 877

    Hi 
    I have applied the following commands to enable Port-Based Authentication, but when I run the command sh mac address-table it shows a static MAC on this port (xx 0000.xxxx.xxxx STATIC Gi1/0/3).
    authentication control-direction in
    authentication event fail retry 1 action authorize vlan xx
    authentication event no-response action authorize vlan xx
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication port-control auto
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 10
    When I remove the command authentication port-control auto, the sh mac address-table command shows me a DYNAMIC MAC.
    Can anyone please explain to me why this is happening?
    Regards,

    Any input?

  • IEEE 802.1x port-based authentication

    I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably the 2960 series. Which models support this feature? I have tried with some older switches, but it doesn't work properly on every one.
    I have upgraded them without better results; namely, there is an issue with TLS handshaking on some switches which causes authentication to fail.

    Hi Claudia,
    do you mean that the EAP-TLS authentication fails only on some 2960 switches and it works on other 2960s?
    What is the IOS version you're using there?
    What is the RADIUS server in use?
    What is the exact error message you see on the RADIUS side?
    Usually, the reason for an EAP-TLS handshake failure is to be troubleshot on the supplicant and AAA server; however, there may be something on the switch depending on the certificate size and MTU settings on the switch(es).
    What is the server cert size and the MTU configured on the switches?
    With the info you provided it's difficult to say what's the reason of this failure.
    I would suggest starting by looking into the above-mentioned topics; otherwise you would need to proceed with deeper debugging and sniffer traces, which may be better/easier to handle through a TAC case.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • Best practices for securing communication to internet based SCCM clients ?

    What type of SSL certs does the community think should be used to secure traffic from internet-based SCCM clients? Should 3rd party SSL certs be used? When doing an inventory, for example, of the clients' configuration in order to run reports later, how can the data be protected during transit?

    From a technical perspective, it doesn't matter where the certs come from as there is no difference whatsoever. A cert is a cert is a cert. The certs are *not* what provide the protection; they simply enable the use of SSL to protect the data in transit and also provide an authentication mechanism.
    From a logistics and cost perspective though, there is a huge difference. You may not be aware, but *every* client in IBCM requires its own unique client authentication certificate. This will get very expensive very quickly and is a recurring cost because certs expire (most commercial cert vendors rarely offer certs valid for more than 3 years). Also, deploying certs from a 3rd party is not a trivial endeavor -- you more or less run into chicken and egg issues here. With an internal Microsoft PKI, if designed properly, there is zero recurring cost and deployment to internal systems is trivial. There is still certainly some cost and overhead involved, but it is dwarfed by that which comes with using a third party CA for IBCM certs.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Communicate via serial port/ethernet from client app

    Hi
    Is it possible to communicate between the client serial port and an Apex application?
    (or from the application to an ethernet device).
    I need to link an application to a weighing machine and send/receive information via an Apex application. The interface will either be a serial port on the client or the weighing scales could also be connected as a network device.
    Any ideas?
    Thanks
    Kathryn

    There are ActiveX controls that you can use (http://www.activexperts.com/activcomport/howto/html/). Otherwise you could try writing a small Java applet to do this on the client end; I don't know enough about your requirements to offer more. Does the vendor of the hardware have a solution?
    (The issue with this would be that non-IE browsers MIGHT not want to run VBScript or ActiveX controls.)
    Thank you,
    Tony Miller
    Webster, TX

  • How to install a java based irc client into a hand...

    I've tried to install a Java-based IRC client, but all I get is a web page thanking me for downloading. Something is updated for a while, but no application nor any new files seem to have been stored on the handheld nor the memory card.
    Is there a way to install programs straight from the web other than the Ovi service? I did not find any links nor feature to browse outside the Ovi Store selection. Ovi, however, loaded with the installer on my phone, XpressMusic 5310.
    B.Sc Information tech
    Phones I have or used to have: ancient Ericsson, Nokia: 6510, 2610, 5310 XpressMusic

    Hey, you can create a Java client using Eclipse or WSAD or, for that matter, any other IDE. Create a project and save the WSDLs in a package. Right click on the WSDL and go to the web service option. From there you can generate the client.
    cheers,
    sapan
    Is it still open ?
    cheers,
    sapan
    Edited by: sapan on Feb 25, 2009 1:17 AM

  • Port based routing?

    Hi,
    My Mac connects to Internet through ADSL router, and to a PPTP-VPN host through this connection.
    And I want to FORCE all my http/https connections(that use destination port 80, 443, and perhaps some more) to use the VPN, while keep anything else go through the ADSL router directly.
    Is this possible?

    Did you find any solution?
    I'm trying to find a way to do this too.. On Linux, port-based routing can be done with iptables. Mac OS X uses ipfw, but:
    > The fwd action does not change the contents of the packet at all. In particular, the destination address remains unmodified, so packets forwarded to another system will usually be rejected by that system unless there is a matching rule on that system to capture them.
    Then there is natd? I'm not sure if this can be used..
    And another one is /etc/pf.conf, which has this OpenBSD guide but fails with "PF ERROR! No ALTQ support in kernel. ALTQ related functions disabled".

  • Port Based MPLS

    Dear Gurus,
    I'm trying to configure port-based MPLS; however, I find my 7206 doesn't support any encapsulation mpls, only l2tpv3. Is this an IOS dependency?
    Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
    R2(config-if)#xconnect 3.3.3.3 100 encapsulation ?
      l2tpv3  Use L2TPv3 encapsulation
    tia.

    Hello Jepoy,
    according to feature navigator it is  supported on C7200 port mode C7200
    but you need some specific feature sets
    like
    c7200-adventerprisek9-mz.124-24.T2.bin
    I have a pair of C7200 with advanced security and xconnect is not supported on them
    Hope to help
    Giuseppe

  • Joining spreadsheets based on Client Id Number

    Hi
    I have two spreadsheets .
    Spreadsheet 1 has sales rep name , client id , name of client
    Spreadsheet 2 has client id ( not in same sequence as spreadsheet 1 ) , client name , client address , tel numbers
    I would like to combine spreadsheet 1, i.e. rep name, client id, name of client, together with the address and contact details on spreadsheet 2. Spreadsheet 1 is based on client id and only contains active client id numbers, whereas spreadsheet 2 contains all existing client id numbers.
    How do I do it ?

    Assuming Client ID is in column B of both SS1 and 2, and by spreadsheet you mean separate files, not separate tabs within one workbook.
    Open both spreadsheets, then in SS1 type in a cell on row 2 of the first blank columns to the right of your data:
    =VLOOKUP($B2,
    then navigate to SS2, and select the entire columns of information with Client ID as the first column of the selection, and press F4 until you get all $ for both columns (it should look like this:
    =vlookup(B2,'[File Name.xlsx]Sheet Name'!$B:$E
    and then type 
    , COLUMN(B2), False)
    and press Enter. Then copy that cell down and to the right to match your data set and extract as many columns of data as you have.

  • Change WOL Port number for clients

    Hi All
    We want to implement WOL functionality in our environment, for WSUS deployment and scheduled OSD deployments.
    Unfortunately, we cannot implement the default UDP port 9.
    My question is how can we change that default port on the clients?
    I know that we can change the port on the primary server -> Site configuration -> Sites -> Properties primary site server -> tab 
    Port and here we can change the port number of Wake on Lan
    For the client I noticed that there is a client setting -> Power Management -> Wake on LAN port number (UDP), but that number is grayed out and set to 9.
    Also, when I create a custom Client Setting, that port number is grayed out and set to 9.
    How can I change that port number for the client?
    Thx in advance
    Regards,
    Johan

    The port number in Client Settings/Power Management is grayed out because "Enable wake-up proxy" is disabled. When you enable it, it becomes available. Be aware that wake-up proxy and Wake on LAN are two different things. (Beware MAC address flapping.)
    To change the Wake On Lan port go to, primary server -> Site configuration -> Sites -> Properties
    primary site server -> tab  Port.
    Wake On LAN port number (UDP)
    For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only:
    Keep the default value of 9, unless you have changed the Wake On LAN (UDP) port number in the site Properties, Ports tab.
    Important
    This number must match the number in the site Properties. If you change this number in one place, it does not automatically update in the other place.
    Benoit Lecours | Blog: System Center Dudes

  • Restricting access to link based on a user's accesslevel

    I've gotten the DW login feature working for restricting
    access to pages based on a user's successful login and associated
    accesslevel. However, I have some links that open an Excel
    spreadsheet and an Outlook calendar. Is there an easy way to
    restrict access to a link so that an unauthorized user can't
    navigate to the link? Here's my code for the link:
    <td height="19" colspan="3" valign="top"><em><strong><a href="STI-Intranet/XLS/PROD_SCHED.xls" title="Current Production Schedule (Read Only)">STI Production Schedule</a></strong></em></td>
    <td height="4%" valign="top"><strong><a href="http://server_3/public/cal_engineering/" title="FROM INTRANET"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">INT</font></a></strong></td>

    What server side language are you using? Do the links need to be restricted to just one access level, or multiple levels? Should it be blocked for only one level or multiple?
    Bryan Ashcraft (remove brain to reply)
    Web Application Developer
    Wright Medical Technologies, Inc.
    =============================
    Macromedia Certified Dreamweaver Developer
    Adobe Community Expert (DW) ::
    http://www.adobe.com/communities/experts/
    "mslee1965" <[email protected]> wrote in
    message
    news:e52o7e$3ak$[email protected]..
    > I've gotten the DW login feature working for restricting access to pages based on a user's successful login and associated accesslevel. However, I have some links that open an Excel spreadsheet and an Outlook calendar. Is there an easy way to restrict access to a link so that an unauthorized user can't navigate to the link? Here's my code for the link:
    >
    > <td height="19" colspan="3" valign="top"><em><strong><a href="STI-Intranet/XLS/PROD_SCHED.xls" title="Current Production Schedule (Read Only)">STI Production Schedule</a></strong></em></td>
    >
    > <td height="4%" valign="top"><strong><a href="http://server_3/public/cal_engineering/" title="FROM INTRANET"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">INT</font></a></strong></td>
    >
    >
